Evidencing cybersecurity measures in ship architecture: How can Lloyd’s Register ShipRight Procedures help?
With cyber attacks increasing by 900% on the maritime industry over the last 3 years, it’s never been so important for this sector to address their cybersecurity landscape. As cyber-attackers develop increasingly sophisticated methods to infiltrate a ships operational technology, we are beginning to see that ship owners must now consider integrating cybersecurity requirements into the technical designs and architecture proposals for new builds and refits from an early stage.
As of January 2021, not only will it be in the interests of ship owners and operators to consult cybersecurity best practice as the foundations of ship development, it will be a requirement by the International Maritime Organisation. In order to keep a vessel ‘in class’, it is now essential for maritime organisations to be able to demonstrate a set of robust cybersecurity controls that are pragmatic, appropriate and relevant to the risks they face. So how can ship owners approach need and requirement?
How to ensure early integration of cybersecurity measures
A strategic and forward-thinking approach is recommended to ensure that maritime organisations are implementing and maintaining a good cybersecurity stance, in which current Nettitude and Lloyd’s Register clients will be familiar with the Lloyd’s Register Cybersecurity Framework (LR CSF). In order to acknowledge the differences between the physical parameters of a ship and its digital attack surface, the LR CSF sits above the scope of Class itself to address holistically the operational capabilities, the governance and the assurance aspects of managing cyber safety, resilience and risk. However, after mastering the approach, there needs to be a way to evidence that the ship meets the controls required by the Class Descriptive Note (DN).
This is where Lloyd’s Register Cybersecurity ShipRight Procedures comes in. The requirements and controls evidenced against ShipRight will enable objectives, cyber risk appetite, designed capability levels and operational maturity levels to be defined against a baseline; which will lead to the issue of a Cybersecurity Descriptive Note.
What purpose does the ShipRight Procedures perform?
The ShipRight assessments encompass a wide range of technology, but also touch on people and process requirements. Often this will be the owner as they will centrally manage many of the controls.
The Cybersecurity ShipRight procedures are designed and built with the following in mind:
- Focused on all aspects of IT and OT onboard a vessel as defined by key domain areas;
- Designed to meet all regulations and industry guidance as they are formally released (e.g. IMO cyber resolution, ISM Code DOC Audits);
- Linked to industry standards, IACS Recommendations and the LR Cybersecurity Framework (CSF);
- Focused on specific components;
- Extended to people, process and technology;
- Based on four levels of designed capability and operational implementation.
The Cybersecurity ShipRight procedures focus on ship-based assets and cover technology, process and people aspects of cybersecurity. These are not just restricted to onboard systems but can include cloud-based applications and services.
What industry standards do the ShipRight Procedures encompass?
Each domain sets out a set of outcomes that can be used to measure what good practice looks like and references the following industry standards:
- NIST Cybersecurity Framework (CSF)
- NIST 800-53 control set (including NIST 800-82 ICS overlays)
- IEC 62443 (mostly related to part 3)
- ISO 27001 Annex A and ISO 27002
- IACS Recommendation on Cyber Resilience
What Risk areas does the ShipRight Procedures encompass?
Cybersecurity is a complex, emerging and developing risk area for connected ships and ships systems. To provide clarity, Lloyd’s Register and Nettitude have established a set of cybersecurity risk areas (hereafter referred to as domains) that are considered in the Cybersecurity ShipRight procedures when assessing cyber security designed capability for both new builds and in class vessels.
New Build Risk Areas:
The following five domains have been created within the Cybersecurity ShipRight (Design & Build) procedures:
Operational Risk Areas:
The following eight domains have been created within the Cybersecurity ShipRight (Operational) procedures:
What is the ShipRight Procedures assessment process?
The ShipRight Procedures allow us to evaluate the current status of one or more components on board of a vessel (already built or under construction) against the LR Cyber ShipRight standard, to understand the current cybersecurity maturity level associated with those selected components and identify areas of improvement, development or concerns.
The process below will be followed for both Design & Build and Operational assessments. The Design & Build assessment will occur during ship building or during an upgrade or installation of a new system. The Operational assessment will only occur when systems are in operational use.
Why should I partner with Lloyd’s Register and Nettitude to evidence my cybersecurity measures?
When partnering with Nettitude, the cybersecurity arm of Lloyd’s Register, you can expect to benefit from the following attributes we hold:
- Access to highly experienced, proven and capable cybersecurity services applied to many diverse sectors, industries and geographies.
- 180+ focused cybersecurity consultants, experts, analysts and researchers.
- Wealth of experience and background across diverse sectors, mature to immature, CNI to start up, hospitality to global enterprises.
- In depth knowledge of global cyber standards, regulations and frameworks.
- Proven innovation within sectors around risk management, threat intelligence, governance and strategic frameworks, detection and response abilities and penetration testing.
- An understanding of the holistic cyber threat landscape and how to protect, monitor and govern the risks. Not just vessel security risks but shore, third party, cloud and people-focused risks.
- An in-depth experience of cyber needs and requirements. This brings the one key area of knowledge to LR customers that, combined with their business and operational knowledge, creates a unique partnership.
Overall, to simply put it, the Lloyd’s Register cybersecurity ShipRight procedures will help you to maintain your license to operate. The ShipRight procedures comprehensive set of requirements will ensure you maintain a high standard of safety, quality, and reliability at the design and production stages of ship construction, which allow for the issue of the Class Descriptive Note.
Ready to get the ball rolling? Reach out to your local Nettitude team for more information.